I'm working with a new client that's transitioning to a fully remote workforce and they need to stay HIPAA compliant. They're also considering allowing employees to bring their own devices (BYOD) in the near future. We're looking into options like an always-on VPN with Microsoft's E5 license or perhaps a Meraki Z4 with Auto VPN for each employee. There are also suggestions for using Citrix or some Desktop-as-a-Service, ideally using Azure. My main concern is about potential security risks from local devices interacting with secured ones, especially if they have malware. While a VPN can help with traffic sniffing issues, I'm worried about how well Windows Firewall and Endpoint Detection & Response (EDR) could prevent direct compromises if we skip adding an extra firewall like a Z4. I know that local traffic access to secured devices might be a risk if the internet goes down, but I want to ensure that our approach is robust and can adapt to future needs. We're also planning to use Intune for device compliance, RMM for patching, BitLocker for encryption, and EDR to safeguard against threats. I'm looking for insights on experiences with Microsoft's always-on VPN, sizing considerations, any potential pitfalls, and other ways to address these HIPAA compliance challenges for remote work.
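As an added illustration of the Windows Firewall concern raised in the question (this is not code from the thread or from any of the posters), the script below sets a host-firewall baseline for a company laptop sitting on an untrusted home or hotel LAN: default-deny inbound on every profile, local rule merging disabled so users cannot punch their own holes, dropped-packet logging for the EDR/SIEM to pick up, and an explicit block of inbound traffic from the local subnet on non-domain networks so the device stays closed to neighbours even when the VPN tunnel is down. The rule name, log path and the verification function name are placeholders chosen for this example; it assumes an elevated PowerShell session on Windows 10/11 with the built-in NetSecurity module.

```powershell
# Added example, not from the original thread. Assumes an elevated session on
# Windows 10/11 with the NetSecurity module. Rule name and log path are
# placeholders; adjust to the client's naming and logging conventions.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Every profile on, inbound blocked by default, and local admins prevented
#    from merging their own allow rules into the effective policy.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -NotifyOnListen False

# 2. Log dropped packets on the untrusted profiles so probes from the home LAN
#    are visible to the EDR or SIEM that collects the log.
Set-NetFirewallProfile -Profile Private,Public `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 3. Explicit block of inbound traffic from the local subnet on non-domain
#    networks. This does not depend on which allow rules exist and still
#    applies when the VPN is down, which is the case the question worries about.
$ruleName = 'CORP-Block-Inbound-LocalSubnet'   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Profile Private,Public `
        -RemoteAddress LocalSubnet `
        -Action Block `
        -Enabled True | Out-Null
}

# 4. Verification: $true only if every profile is enabled with inbound blocked
#    and the local-subnet block rule is present and enabled. Suitable as a
#    compliance check run from an RMM or Intune remediation script.
function Test-RemoteLaptopFirewallBaseline {
    $profiles = Get-NetFirewallProfile
    $badProfiles = $profiles | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $ruleOk = $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block'
    return [bool](($badProfiles.Count -eq 0) -and $ruleOk)
}

Test-RemoteLaptopFirewallBaseline
```

Two caveats worth planning for: the local-subnet rule is inbound only, so outbound use of home printers or media devices still works, but anything that needs an unsolicited inbound connection from the LAN (printer discovery, casting, peer-to-peer file transfer) will stop, and the firewall log will fill with those drops until users stop expecting them. Also, a script like this is best treated as the documented intent and verification step; the same profile settings can be pushed and enforced centrally through Intune firewall policy, which keeps the configuration from drifting after a local change.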
5 Answers
I'd strongly advise against allowing BYOD in any HIPAA-compliant work environment. It complicates compliance and security considerably, especially with patch management and monitoring. If your client insists, maybe consider employing a third-party auditor for guidance—it could save them major headaches down the line.
It might be simpler to just say 'no BYOD, only company-issued devices' that are encrypted and secured to minimize risk. Sure, it feels restrictive, but it protects sensitive data better. You can always use thin clients and host work on secured company systems to keep data from lingering on user devices altogether, even if that sounds a bit old school.
Thanks for your input! I see the appeal in denying BYOD outright to simplify things, but I'm hoping for a middle ground that still respects security needs without limiting productivity too much.
We adapted during the pandemic with BYOD using Splashtop before investing in laptops. It was a workaround, but not the best long-term solution. If you have an Azure setup, it could serve as a secure remote desktop access point for your team, though it demands maintaining high availability.
Thanks for sharing! Utilizing Azure RD as a remote access point sounds viable, even though it does come with its own challenges in terms of resource management.
If you manage the hardware, it’s just easier to ensure compliance. BYOD is a big red flag for HIPAA compliance. You cannot verify device security unless it's fully managed, and that’s going to lead to headaches.
Got it! The feedback I'm hearing reinforces this idea that BYOD isn’t worth the hassle. I want our strategy to prioritize security, especially handling patient data.
I've worked in a HIPAA setting with company-supplied devices and we never restricted local network access. Our patient data was accessed through secure web portals and not stored on local devices. However, they did implement strict login protocols with MFA for every session, making it challenging to bypass security even if local access was allowed.
I appreciate your experience! Ideally, we want to enforce no PHI on local drives, but I worry more about someone trying to circumvent rules during busy periods. Keeping PHI off personal devices entirely seems like the best approach.

That’s a great point; it’s tough to argue against the cost of potential breaches. Thanks for the suggestion about involving an auditor—definitely something to bring up!